From 2f858938855a6b8a8b7d6448568c50e5c36f0986 Mon Sep 17 00:00:00 2001
From: Yuhan Yao <yaoyuhan@google.com>
Date: Fri, 3 Apr 2026 11:30:08 +0000
Subject: [PATCH 1/3] out_stackdriver: fix multiple memory leaks and potential
 corruption.

---
 plugins/out_stackdriver/gce_metadata.c     | 18 +++++++++---------
 plugins/out_stackdriver/stackdriver.c      |  5 +++++
 plugins/out_stackdriver/stackdriver_conf.c |  3 +++
 3 files changed, 17 insertions(+), 9 deletions(-)

diff --git a/plugins/out_stackdriver/gce_metadata.c b/plugins/out_stackdriver/gce_metadata.c
index 6032fe85069..207b8c69089 100644
--- a/plugins/out_stackdriver/gce_metadata.c
+++ b/plugins/out_stackdriver/gce_metadata.c
@@ -33,7 +33,7 @@
 
 static int fetch_metadata(struct flb_stackdriver *ctx,
                           struct flb_upstream *upstream, char *uri,
-                          char *payload)
+                          flb_sds_t *payload)
 {
     int ret;
     int ret_code;
@@ -44,15 +44,15 @@ static int fetch_metadata(struct flb_stackdriver *ctx,
     /* If runtime test mode is enabled, add test data */
     if (ctx->ins->test_mode == FLB_TRUE) {
         if (strcmp(uri, FLB_STD_METADATA_PROJECT_ID_URI) == 0) {
-            flb_sds_cat(payload, "fluent-bit-test", 15);
+             *payload = flb_sds_cat(*payload, "fluent-bit-test", 15);
             return 0;
         }
         else if (strcmp(uri, FLB_STD_METADATA_ZONE_URI) == 0) {
-            flb_sds_cat(payload, "projects/0123456789/zones/fluent", 32);
+            *payload = flb_sds_cat(*payload, "projects/0123456789/zones/fluent", 32);
             return 0;
         }
         else if (strcmp(uri, FLB_STD_METADATA_INSTANCE_ID_URI) == 0) {
-            flb_sds_cat(payload, "333222111", 9);
+            *payload = flb_sds_cat(*payload, "333222111", 9);
             return 0;
         }
         return -1;
@@ -88,7 +88,7 @@ static int fetch_metadata(struct flb_stackdriver *ctx,
         flb_plg_debug(ctx->ins, "HTTP Status=%i", c->resp.status);
         if (c->resp.status == 200) {
             ret_code = 0;
-            flb_sds_copy(payload, c->resp.payload, c->resp.payload_size);
+            *payload = flb_sds_copy(*payload, c->resp.payload, c->resp.payload_size);
         }
         else {
             if (c->resp.payload_size > 0) {
@@ -117,7 +117,7 @@ int gce_metadata_read_token(struct flb_stackdriver *ctx)
 
     uri = flb_sds_cat(uri, ctx->client_email, flb_sds_len(ctx->client_email));
     uri = flb_sds_cat(uri, "/token", 6);
-    ret = fetch_metadata(ctx, ctx->metadata_u, uri, payload);
+    ret = fetch_metadata(ctx, ctx->metadata_u, uri, &payload);
     if (ret != 0) {
         flb_plg_error(ctx->ins, "can't fetch token from the metadata server");
         flb_sds_destroy(payload);
@@ -147,7 +147,7 @@ int gce_metadata_read_zone(struct flb_stackdriver *ctx)
     flb_sds_t zone = NULL;
 
     ret = fetch_metadata(ctx, ctx->metadata_u, FLB_STD_METADATA_ZONE_URI,
-                         payload);
+                         &payload);
     if (ret != 0) {
         flb_plg_error(ctx->ins, "can't fetch zone from the metadata server");
         flb_sds_destroy(payload);
@@ -193,7 +193,7 @@ int gce_metadata_read_project_id(struct flb_stackdriver *ctx)
     flb_sds_t payload = flb_sds_create_size(4096);
 
     ret = fetch_metadata(ctx, ctx->metadata_u,
-                         FLB_STD_METADATA_PROJECT_ID_URI, payload);
+                         FLB_STD_METADATA_PROJECT_ID_URI, &payload);
     if (ret != 0) {
         flb_plg_error(ctx->ins, "can't fetch project id from the metadata server");
         flb_sds_destroy(payload);
@@ -210,7 +210,7 @@ int gce_metadata_read_instance_id(struct flb_stackdriver *ctx)
     flb_sds_t payload = flb_sds_create_size(4096);
 
     ret = fetch_metadata(ctx, ctx->metadata_u,
-                         FLB_STD_METADATA_INSTANCE_ID_URI, payload);
+                         FLB_STD_METADATA_INSTANCE_ID_URI, &payload);
     if (ret != 0) {
         flb_plg_error(ctx->ins, "can't fetch instance id from the metadata server");
         flb_sds_destroy(payload);
diff --git a/plugins/out_stackdriver/stackdriver.c b/plugins/out_stackdriver/stackdriver.c
index 1375ba2c463..be4a5d09e9a 100644
--- a/plugins/out_stackdriver/stackdriver.c
+++ b/plugins/out_stackdriver/stackdriver.c
@@ -1130,6 +1130,9 @@ static int pack_resource_labels(struct flb_stackdriver *ctx,
                 } else {
                     flb_plg_warn(ctx->ins, "failed to find a corresponding entry for "
                         "resource label entry [%s=%s]", label_kv->key, label_kv->val);
+                    if (rval) {
+                        flb_ra_key_value_destroy(rval);
+                    }
                 }
                 flb_ra_destroy(ra);
             } else {
@@ -2467,6 +2470,8 @@ static flb_sds_t stackdriver_format(struct flb_stackdriver *ctx,
                 flb_sds_destroy(log_name);
             }
 
+            destroy_http_request(&http_request);
+
             flb_log_event_decoder_destroy(&log_decoder);
             msgpack_sbuffer_destroy(&mp_sbuf);
 
diff --git a/plugins/out_stackdriver/stackdriver_conf.c b/plugins/out_stackdriver/stackdriver_conf.c
index 7c36b2e02b9..103232abeec 100644
--- a/plugins/out_stackdriver/stackdriver_conf.c
+++ b/plugins/out_stackdriver/stackdriver_conf.c
@@ -134,6 +134,9 @@ static int read_credentials_file(const char *cred_file, struct flb_stackdriver *
             ctx->creds->type = flb_sds_create_len(val, val_len);
         }
         else if (key_cmp(key, key_len, "project_id") == 0) {
+            if (ctx->project_id) {
+                flb_sds_destroy(ctx->project_id);
+            }
             ctx->project_id = flb_sds_create_len(val, val_len);
         }
         else if (key_cmp(key, key_len, "private_key_id") == 0) {

From 6440aedab30a72dcf8a6277d55e334c44523ace5 Mon Sep 17 00:00:00 2001
From: zkdlin211 <68074864+zkdlin211@users.noreply.github.com>
Date: Fri, 3 Apr 2026 07:55:15 -0400
Subject: [PATCH 2/3] Add write permissions for packages in integration test

Signed-off-by: zkdlin211 <68074864+zkdlin211@users.noreply.github.com>
---
 .github/workflows/master-integration-test.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/master-integration-test.yaml b/.github/workflows/master-integration-test.yaml
index 13905067dd4..84d4945ffea 100644
--- a/.github/workflows/master-integration-test.yaml
+++ b/.github/workflows/master-integration-test.yaml
@@ -29,6 +29,7 @@ jobs:
     needs: master-integration-test-build
     permissions:
       contents: read
+      packages: write
     uses: ./.github/workflows/call-run-integration-test.yaml
     with:
       image_name: ghcr.io/${{ github.repository }}/master

From 1c23f9756387f2078f62a5ecec99f812b97da054 Mon Sep 17 00:00:00 2001
From: zkdlin211 <68074864+zkdlin211@users.noreply.github.com>
Date: Fri, 3 Apr 2026 15:17:33 -0400
Subject: [PATCH 3/3] Update permissions in master integration test workflow

Removed package write permissions from integration test workflow.

Signed-off-by: zkdlin211 <68074864+zkdlin211@users.noreply.github.com>
---
 .github/workflows/master-integration-test.yaml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/master-integration-test.yaml b/.github/workflows/master-integration-test.yaml
index 84d4945ffea..13905067dd4 100644
--- a/.github/workflows/master-integration-test.yaml
+++ b/.github/workflows/master-integration-test.yaml
@@ -29,7 +29,6 @@ jobs:
     needs: master-integration-test-build
     permissions:
       contents: read
-      packages: write
     uses: ./.github/workflows/call-run-integration-test.yaml
     with:
       image_name: ghcr.io/${{ github.repository }}/master